TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Managers and System Administrators Need to Limit
Employees’ Access to Computer Systems

July 2005

Reference Number: 2005-20-097

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Luis.Garcia@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

July 8, 2005

MEMORANDUM FOR CHIEF INFORMATION OFFICER
               CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:     Pamela J. Gardiner
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Managers and System Administrators Need to Limit Employees’ Access to Computer Systems (Audit # 200420036)

This report presents the results of our review to assess the effectiveness of the Internal Revenue Service’s (IRS) controls over authorizing user access to its computer systems. A fundamental principle of effective computer security is that employees should be given access to only those systems and applications for which they have a business need. Giving employees access beyond their job responsibilities creates unnecessary opportunities for unauthorized access to or misuse of tax return data, such as selling data for identity theft purposes.

In prior Treasury Inspector General for Tax Administration reviews, we have identified weaknesses where IRS employees or former employees had unnecessary access to tax data. The IRS implemented the Online 5081 (OL5081) system[1] in July 2002 to address these deficiencies.

Synopsis

By implementing the OL5081 system and related processes, the IRS has taken a major step to improve the process of authorizing user access to IRS systems. For example, the automated process for requesting and approving access to systems is less cumbersome and eliminates the need for paper forms to be sent and received by various parties throughout the process. Authorizing access to an account, which took weeks using the paper Information System User Registration/Change Request (Form 5081), can now be done as quickly as 1 day.

[1] The OL5081 system was named after the Information System User Registration/Change Request (Form 5081) the IRS uses to request and authorize user accounts for employees on all systems. The OL5081 system automates some of the manual processes and provides a centralized system for all system access authorizations.

Nevertheless, we identified the same three problems we reported before the implementation of the OL5081 system. These weaknesses continue to occur because managers and system administrators have not adhered to the OL5081 system procedures.

First, managers and system administrators did not ensure user accounts for employees were removed from systems when employees left the IRS, transferred to another function, or changed job responsibilities. Keeping these user accounts active increased the risk they could be used for unauthorized disclosure of taxpayer data.

Second, managers and system administrators did not have documentation of employees’ access authorizations. One possibility is that managers did not ensure all system users were added to the OL5081 system when the IRS converted from paper to the automated system. Another explanation is that system administrators may have granted employees access to systems without proper authorization from the employees’ managers. Without the required documentation, accountability for authorizing access could not be determined. The lack of documentation to support employee access increases the risk that employees could have more access than needed.

Finally, those employees not included on the OL5081 system were never required to acknowledge awareness of their security responsibilities. In addition, some managers and employees did not appear to act on reminders generated by the OL5081 system to recertify their awareness of security policies and procedures. Requiring employees to acknowledge security rules before being granted access to a system and requiring annual recertification promotes employee awareness of security policies and can make the IRS a more security-minded organization.

Recommendations

We recommended the Chief Information Officer enforce current procedures by configuring systems to automatically disable users’ accounts after 45 days of inactivity and to automatically delete the accounts after 90 days of inactivity. We also recommended the OL5081 system be enhanced to automatically generate notifications to system administrators when employees have not recertified their awareness of security rules within 45 days. System administrators should disable access privileges for those employees until they reapply for access and recertify their awareness of security rules. We also recommended the Chief, Mission Assurance and Security Services, coordinate with the business units to include tests of access controls during annual self-assessments required by the Federal Information Security Management Act (FISMA).[2]

[2] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

Response

The IRS agreed with our recommendations. However, it noted that disabling and deleting accounts for inactivity cannot be applied to all systems. Certain systems exist where employee inactivity beyond the recommended time periods is normal. These systems require employee access only upon completion of a specific activity, such as travel and training. We concur with these comments.

The Chief Information Officer will issue a revised policy statement requiring the timely deletion or disabling of inactive accounts in accordance with current procedures and the evaluation of the feasibility of automating the deletion and disabling of unused accounts. In addition, the Chief Information Officer implemented enhancements to the OL5081 system so employees and managers will be unable to perform any actions on a system until annual recertifications have occurred. The Chief, Mission Assurance and Security Services, will coordinate with the other business units for conducting testing of access controls, as part of the IRS’ annual FISMA processes. Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.


Table of Contents

Background
Results of Review
    The Online 5081 System Improves the User Account Authorization Process
    Managers and System Administrators Did Not Carry Out Their Responsibilities
        Recommendations 1 and 2
        Recommendation 3
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – List of Treasury Inspector General for Tax Administration Audit Reports With Unauthorized or Unnecessary User Accounts Issues
    Appendix V – Description of Internal Revenue Service Automated Systems Selected for Review
    Appendix VI – Management’s Response to the Draft Report


Background

The Internal Revenue Service (IRS) has over 300 computer systems to process and maintain over 222 million tax returns. The data in these systems are considered sensitive and require protection from unauthorized use, modification, disclosure, and destruction. The importance of protecting these data was illustrated when the President signed into law the Taxpayer Browsing Protection Act of 1997.[1] This Act makes the willful unauthorized access and inspection of taxpayer records a crime.

A fundamental principle of effective computer security is that employees should be given access to only those systems and applications for which they have a business need. Giving employees access beyond their job responsibilities creates unnecessary opportunities for unauthorized access to or misuse of tax return data, such as selling data for identity theft purposes. To limit the opportunities for misuse of sensitive data, the IRS requires that employees be given access to only those systems they need to execute their job responsibilities. To fulfill this requirement, the IRS established the Information System User Registration/Change Request (Form 5081) to request and authorize employees’ system user accounts.

The IRS has acknowledged that procedures associated with the Form 5081 process were not being followed as intended. For example, user accounts for employees who had separated from the IRS were not deleted from systems, or Form 5081 documentation was not being maintained to support proper authorization for access to systems. Since 1998, the IRS had also designated the Separating Employee Clearance process as a significant control deficiency under the Federal Managers’ Financial Integrity Act of 1982.[2] The deficiency mainly deals with processes related to employees who leave the IRS, which includes the management and deletion of user accounts for separated employees.

[1] 26 U.S.C.A. §§ 7213, 7213A, 7431 (West Supp. 2003).
[2] 31 U.S.C. §§ 1105, 1113, 3512 (2000). This Act requires Federal Government agencies to annually assess the adequacy of controls and identify any areas of control weaknesses, designated as either material weaknesses or significant control deficiencies. The Department of the Treasury defines material weaknesses as “shortcomings in operations or systems which, among other things, severely impair or threaten the organization’s ability to accomplish its mission or to prepare timely, accurate financial statements.” Significant control deficiencies are defined as “problematic issues which do not rise to the level of materiality, but which warrant special management attention to ensure improvement, rather than deterioration to the point where they become material weaknesses.”

Prior Treasury Inspector General for Tax Administration (TIGTA) reviews have also identified similar problems as they related to the Form 5081 process. Appendix IV presents a list of prior audit reports that contain these types of issues.

To address these deficiencies, the IRS automated the process by developing the Online 5081 (OL5081) system.[3] In implementing this system in October 2002, the former Deputy Commissioner required all IRS managers to conduct a thorough review of their employees’ access profiles and complete an OL5081 system record for each of their employees with current access privileges. Additionally, in May 2004, the Acting Director, End User Equipment and Services (EUES), required that the use of paper Forms 5081 be terminated by November 2004. In December 2004, the EUES organization completed improvements to the OL5081 system, including giving the system a more user-friendly appearance and expanding screen instructions and menu accessibility.

The following five systems were judgmentally selected for our review.
Appendix V provides a description of these systems.
    • Appeals Centralized Database System (ACDS).
    • Automated Collection System (ACS).
    • Automated Underreporter System (AUR).
    • Integrated Case Processing (ICP).
    • Taxpayer Advocate Management Information System (TAMIS).

This review was performed in the Office of Information Technology Services at the IRS National Headquarters in Washington, D.C., during the period July 2004 through January 2005. We also contacted managers located in several IRS locations. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[3] The OL5081 system was named after the Form 5081 the IRS uses to request and authorize user accounts for employees on all systems. The OL5081 system automates some of the manual processes and provides a centralized system for all system access authorizations.


Results of Review

The Online 5081 System Improves the User Account Authorization Process

By implementing the OL5081 system in July 2002, the IRS has taken a major step to improve the process of authorizing user access to IRS systems. The automated process for requesting and approving access to systems is less cumbersome and eliminates the need for paper forms to be sent and received by various parties throughout the process. Authorizing access to an account, which previously took weeks using paper Forms 5081, can now be done in as little as 1 day. The OL5081 system is used to grant access to almost all IRS systems.

The OL5081 system process starts with an employee completing an online Form 5081 with all required information. When the employee completes the request, the OL5081 system sends an email message to the employee’s manager regarding the request. The manager then accesses the OL5081 system to approve the request. Once the request has been approved, the OL5081 system generates an email to the system administrator, who creates the user account. The user is then notified that his or her user account is active and ready for access.

To delete a user who no longer has a need to access a system, the manager initiates the removal process on the OL5081 system. An email is then sent to the system administrator to remove the account.

In addition to expediting the addition and removal of employees’ access rights to a system, the OL5081 system is also used to document that employees have certified they understand IRS security rules. IRS procedures require employees to make this certification annually as a means to enhance security awareness and understanding.

Managers and System Administrators Did Not Carry Out Their Responsibilities

Although the OL5081 system automates the process for creating and deleting user accounts, certain responsibilities continue to rely on human initiation and intervention. For example, managers must ensure employees need access to a system before granting access and promptly notify system administrators to remove employees from a system when access is no longer necessary. Managers are also required to annually review the appropriateness of their employees’ access privileges.

In turn, system administrators are responsible for adding and removing system users when authorized, monitoring users’ accesses, maintaining an up-to-date list of authorized users, and annually generating a list of current system users and their access profiles to provide to the appropriate managers for review.

The Federal Information Security Management Act (FISMA)[4] requires business units to annually conduct self-assessments of the security of their systems. Access to computer systems should be evaluated as part of these self-assessments to determine whether managers and employees have implemented the controls effectively.

However, our review of the five systems identified employees who:
    • Had access to systems they did not need to assist them in carrying out their responsibilities.
    • Had access to systems that were not properly authorized and documented.
    • Had not certified they were aware of IRS security procedures.

These conditions occurred because managers and system administrators did not adhere to OL5081 system procedures. In addition, prior FISMA self-assessments had not addressed access controls.

Employees had access to systems they did not need

In our review of the 5 systems, we identified 139 (21 percent) of 652 employees with active user accounts who, according to their managers, no longer had a business need to have system access. Table 1 presents these numbers by the systems reviewed.

[4] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

Table 1: Active Accounts With and Without a Business Need

System   Total users   Users in our sample   Users without a business need   Users with a business need
ACDS          2,464                   113                               5                          108
ACS           5,297                   166                              26                          140
AUR           2,319                    88                              17                           71
ICP          34,342                   167                              82                           85
TAMIS         3,235                   118                               9                          109
Total        47,657                   652                             139                          513

Source: TIGTA analysis.

Discussions with managers of the system account users identified the following reasons why access was no longer needed.
    • Employees (54) had separated from the IRS and their managers agreed their access rights should have been removed.
      One employee who still had access had separated from the IRS over 2 years before our review.
    • Employees (47) were transferred to other positions.
    • Employees (38) remained in their current positions but no longer needed access to the system due to changing job duties.

Managers and system administrators did not follow IRS procedures to terminate these employees’ access privileges. The existence of active user accounts for employees who no longer have a business need poses an unnecessary risk for unauthorized disclosure of taxpayer data. Of the 54 employees who separated from the IRS but still had active user accounts, we identified 5 user accounts that had been accessed after the employees separated from the IRS.

We have previously reported the issue of unnecessary user accounts on systems in application-specific reviews (see Appendix IV for specific reports). The implementation of the OL5081 system has had little effect on this issue, even though the system gives managers and system administrators a single place to identify employee access to multiple systems and initiate system separation action when an employee’s responsibilities change.

Some systems have the capability to automatically disable an employee’s user account if he or she has not accessed the system within a predetermined time period. The IRS requires that an employee’s access rights be disabled if he or she has not used a system within 45 days; access rights are to be removed from a system if the employee has not accessed it within 90 days. System administrators had not configured the systems to ensure these requirements were met.

Employees’ access capabilities were not always authorized or documented

In our sample of 652 employees, 513 employees had a business need to access the systems. As previously indicated, a manager’s authorization is required and must be documented prior to granting a user system access. We found no indications on the OL5081 system that 128 (25 percent) of the 513 employees had been properly authorized. We were also unable to find paper copies of approved authorizations in the employees’ personnel folders or from the employees’ current managers.

Without the Form 5081 information, it is impossible to determine how these employees obtained access to the systems. We believe either managers did not carry out their responsibilities, or system administrators may have added employees to systems without a manager’s authorization. When the IRS transitioned to the OL5081 system in July 2002, it attempted to enter all paper Forms 5081 into the OL5081 system. We acknowledge this is an ongoing effort and could explain why we were unable to find records on the OL5081 system for all user accounts in our sample.
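The checks described above (separated employees whose accounts stayed active, including accounts used after separation; accounts idle past the 45-day disable and 90-day removal thresholds; and active accounts with no manager-approved authorization record) can be run mechanically against a system's user list. The Python script below is an added illustration and is not IRS, TIGTA, or OL5081 code; the Account record layout, the finding codes, and the sample inventory are constructed for the example. A real review would build the inventory from each system's account and last-login data joined to the OL5081 system's approval records.

```python
"""Access review mirroring the tests in the report: separated employees with
active accounts, accounts idle past the 45-day (disable) and 90-day (delete)
thresholds, and active accounts with no manager-approved authorization record.

Added illustration, not IRS, TIGTA or OL5081 code. The record layout, field
names, finding codes and the sample inventory are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DISABLE_AFTER_DAYS = 45   # IRS rule cited in the report: disable after 45 idle days
DELETE_AFTER_DAYS = 90    # ...and remove the account after 90 idle days


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    active: bool
    last_login: Optional[date]      # None: the account has never been used
    separated_on: Optional[date]    # None: employee still with the agency
    authorized: bool                # manager-approved OL5081 record on file


def review_account(acct: Account, as_of: date) -> list:
    """Return the finding codes that apply to one account as of `as_of`."""
    findings = []
    if not acct.active:
        return findings             # already disabled: nothing to act on

    # 1. Separated employee whose account was never removed; flag any use
    #    after the separation date (the 5 of 54 case in the report).
    if acct.separated_on is not None and acct.separated_on <= as_of:
        findings.append("SEPARATED_STILL_ACTIVE")
        if acct.last_login is not None and acct.last_login > acct.separated_on:
            findings.append("USED_AFTER_SEPARATION")

    # 2. Inactivity thresholds. An account that has never been used is treated
    #    as idle for longer than the delete threshold.
    if acct.last_login is None:
        idle_days = DELETE_AFTER_DAYS + 1
    else:
        idle_days = (as_of - acct.last_login).days
    if idle_days > DELETE_AFTER_DAYS:
        findings.append("DELETE_INACTIVE_90")
    elif idle_days > DISABLE_AFTER_DAYS:
        findings.append("DISABLE_INACTIVE_45")

    # 3. No documented manager authorization for an active account.
    if not acct.authorized:
        findings.append("NO_AUTHORIZATION_RECORD")
    return findings


def review_inventory(accounts, as_of):
    """Map user -> findings, omitting accounts with nothing to report."""
    result = {}
    for acct in accounts:
        codes = review_account(acct, as_of)
        if codes:
            result[acct.user] = codes
    return result


def summarize(report):
    """Count accounts per finding code (one account may carry several)."""
    counts = {}
    for codes in report.values():
        for code in codes:
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample inventory (not real IRS data); review date is constructed too.
AS_OF = date(2005, 1, 31)
SAMPLE = [
    Account("u001", "ACS",   True,  date(2005, 1, 28),  None,               True),   # clean
    Account("u002", "ACS",   True,  date(2004, 12, 1),  None,               True),   # idle 61 days
    Account("u003", "AUR",   True,  date(2004, 9, 1),   None,               True),   # idle 152 days
    Account("u004", "ICP",   True,  date(2004, 11, 20), date(2004, 10, 15), True),   # used after leaving
    Account("u005", "ICP",   True,  date(2002, 11, 1),  date(2002, 12, 1),  False),  # gone 2+ years, no record
    Account("u006", "TAMIS", True,  date(2005, 1, 20),  None,               False),  # in use, undocumented
    Account("u007", "ACDS",  False, date(2004, 3, 1),   date(2004, 3, 2),   True),   # already disabled
    Account("u008", "AUR",   True,  None,               None,               True),   # never used
]

if __name__ == "__main__":
    report = review_inventory(SAMPLE, AS_OF)
    for user, codes in sorted(report.items()):
        print(f"{user}: {', '.join(codes)}")
    print("summary:", summarize(report))
```

The inactivity thresholds belong in the system's own account policy, so that disabling and removal happen without anyone running a script; a periodic review like this one is the auditor's check that the policy is actually in force. Systems where long gaps between uses are normal (the IRS response cites travel and training systems) need a documented exception list rather than a relaxed threshold for everyone.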
However, managers may not have carried out their responsibilities for ensuring all\nsystem users were added to the OL5081 system.\nAnother explanation for the lack of documentation is system administrators, rather than\nmanagers, authorized access to systems. Without documentation of access authorizations,\naccountability for granting access cannot be readily determined and the risk that employees had\nmore access than needed is increased.\nIn addition, managers and system administrators will be unable to use the OL5081 system to\nidentify all user accounts for employees who separate from the IRS. To illustrate, when the\n128 employees in our sample above separate from the IRS, the OL5081 system will not identify\nall systems to which the employees have access and the user accounts could remain active and\nuseable. If a former employee was able to enter an IRS facility and logon to an IRS computer,\nhe or she could access the system to obtain tax return data.\n\n                                                                                           Page 6\n\x0c                          Managers and System Administrators Need to Limit\n                              Employees\xe2\x80\x99 Access to Computer Systems\n\n\n\n\nEmployees did not certify they were aware of IRS security procedures\n\nThe IRS requires systems users to know, understand, and agree to practice the rules of system\nuse, prior to accessing a system. Managers must ensure users acknowledge they understand the\nsystem security requirements, rules, and responsibilities prior to granting them system access.\nManagers must also ensure users annually recertify their awareness of the system security rules\nfor all systems to which access has been granted.\nThese requirements have been automated through the OL5081 system. When users request\naccess to a system, they need to acknowledge, in the OL5081 system, that they understand\nsystem security rules. 
In addition, the OL5081 system automatically sends email reminders to\nusers and their managers when annual recertification is needed.\nOf the 513 employees reviewed, 1735 (34 percent) did not meet their annual recertification\nrequirement indicating their understanding of IRS\nsecurity rules. Among these 173 employees were             Employees and managers did not act\n45 employees who had initially certified they               on recertification email reminders\nunderstood the security rules over 1 year ago but had       generated by the OL5081 system.\nnot annually recertified their awareness of the\nsecurity rules. It appears employees and managers\ndid not act on the recertification email reminders generated by the OL5081 system.\nRequiring employees to acknowledge security rules before being granted access to a system and\nrequiring annual recertification promotes employee awareness of security policies and can make\nthe IRS a more security-minded organization. In not doing so, employees could unknowingly\ncompromise security within the IRS. For example, the system security rules state employees\nmust protect their passwords at all times and should not share them with anyone else regardless\nof that person\xe2\x80\x99s position inside or outside the IRS. 
A TIGTA audit report6 on employees\xe2\x80\x99\nsusceptibility to social engineering tactics showed that 35 of 100 managers and employees\nprovided their user accounts and changed their passwords when we posed as an Information\nTechnology helpdesk employee.\nTo further ensure employees are aware of their security responsibilities, we believe the OL5081\nsystem could be used to systemically generate an email to system administrators for the purpose\nof disabling user accounts if employees had not recertified.\n\n\n\n5\n  The 173 employees include the 128 employees whose access rights were never entered into the OL5081 system.\nThere is no indication these 128 employees ever acknowledged the security rules.\n6\n  While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques\n(Reference Number 2005-20-042, dated March 2005).\n                                                                                                      Page 7\n\x0c                       Managers and System Administrators Need to Limit\n                           Employees\xe2\x80\x99 Access to Computer Systems\n\n\n\n\nRecommendations\nRecommendation 1: The Chief Information Officer should enforce current procedures on all\nsystems by configuring systems to automatically disable employees\xe2\x80\x99 accounts after 45 days of\ninactivity and to automatically delete the accounts after 90 days of inactivity.\n       Management\xe2\x80\x99s Response: The Chief Information Officer will issue a revised policy\n       statement requiring the timely deletion or disabling of inactive accounts in accordance\n       with current procedures. 
The policy statement will require each system and application\n       owner to identify inactive accounts and take the appropriate actions to ensure managers\n       and system administrators delete separated employees\xe2\x80\x99 accounts from the IRS network,\n       disable user accounts after 45 days of inactivity, and delete accounts after 90 days of\n       inactivity on all applicable systems and applications.\n       The Chief Information Officer\xe2\x80\x99s revised policy will also require each affected system and\n       application owner to evaluate the feasibility of automating the disabling and deletion of\n       unused accounts. The feasibility report will identify the systems and applications that can\n       be automated with a projected schedule to include implementation and completion dates.\n       A justification statement with detailed information will be prepared for each system and\n       application that cannot be automated.\nRecommendation 2: The Chief Information Officer should enhance the OL5081 system by\nautomatically generating reminders to system administrators when employees have not\nrecertified their awareness of security rules within 45 days. System administrators should\ndisable access privileges for those employees until they reapply for access and recertify their\nawareness of security rules. We believe these actions would highlight the importance of annual\nrecertification of system access for users and managers.\n       Management\xe2\x80\x99s Response: The Chief Information Officer has completed the\n       following actions. The OL5081 system was reprogrammed to provide account/system\n       administrators with automatic notifications that direct them to disable the accounts of\n       employees who are placed in a furloughed or other nonpay status and to generate\n       automatic notifications to \xe2\x80\x9cmanagers gaining new employees,\xe2\x80\x9d to validate these\n       employees\xe2\x80\x99 system accesses. 
       In addition, the OL5081 system will default to the recertification message requiring a manager to recertify his or her employees each time the manager logs into the OL5081 system, prior to allowing the employees to perform any other action.

       In addition, the Chief Information Officer will ensure employee access privileges will be disabled if employees fail to acknowledge or recertify the Information Technology System Security Rules within 45 days of their notification for systems managed by the Modernization and Information Technology Services (MITS) organization. For systems managed by the business units, system administrators will receive notification and be mandated to disable access privileges for those employees who fail to recertify. The MITS organization will also review a report generated by the OL5081 system that lists all accounts marked for disabling or deletion and notify the appropriate system owner if further action is required.

Recommendation 3: The Chief, Mission Assurance and Security Services, should coordinate with the business units to include tests of access controls during annual self-assessments required by the FISMA.
These tests should eventually increase all managers’ awareness of their responsibilities to limit employees’ system access to those who need it to accomplish their responsibilities, document authorizations to access the systems, and ensure employees recertify their awareness of security procedures.

       Management’s Response: The Chief, Mission Assurance and Security Services, will coordinate with the other business units for conducting testing of access controls. The testing of management, operational, and technical controls will be implemented as a part of the IRS’ annual FISMA processes.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to assess the effectiveness of the Internal Revenue Service’s (IRS) controls over authorizing user access to its computer systems. To accomplish our objective, we:

I.   Determined whether the Online 5081 (OL5081) system¹ process is effective in reducing risks associated with users’ access to applications.
     A.  Identified areas of responsibility and work flow processes for the OL5081 system by interviewing:
         1.  Personnel in the Office of Information Technology Services to determine how the system works, the roles of different individuals (e.g., employee, manager, application project office, system administrators), and the current status of the application rollout implementation.
         2.  Security personnel and system administrators to determine the procedures for adding and deleting employees and contractors from systems using the OL5081 system.
     B.  Confirmed whether system users had acknowledged security rules and regulations.
     C.  Determined whether the OL5081 system provided management with a notification when recertifications were due for users under its jurisdiction.
     D.  Interviewed IRS management to ascertain why the OL5081 system process was not used when accesses to applications were being granted using a paper Information System User Registration/Change Request (Form 5081).
     E.  Reviewed the process for establishing managerial approval for authorizing access and determined how those designations were kept current.
II.  Determined whether user accounts had been established for only those individuals with a business need.
     A.  Identified all user accounts for the following five IRS systems:
         •  Appeals Centralized Database System.
         •  Automated Collection System.
         •  Automated Underreporter.
         •  Integrated Case Processing.
         •  Taxpayer Advocate Management Information System.
         These 5 systems were judgmentally selected from over 300 systems based on concurrent audit work on specific applications, sensitivity of data, applicability to IRS employees, and the availability of certain data fields (e.g., date last accessed).
     B.  Judgmentally selected 66 managers located in several IRS offices.² The managers were responsible for 652 employees with active user accounts on these 5 systems. We judgmentally selected the managers because we did not plan to project our audit results.
     C.  Contacted the managers to determine whether the 652 users truly needed access to the systems.
     D.  Obtained the “last accessed” date for the sample of users selected to determine whether the users had accessed the application within 90 days. For user accounts not accessed within 90 days, we determined whether the account had been disabled or deleted, or we obtained an explanation as to why the user account was still active.
     E.  Determined whether the selected applications had user accounts for separated employees by cross-referencing user accounts with separated employee data from the IRS’ time and attendance system and the OL5081 system, respectively.
III. Determined whether users had been properly authorized for access.
     A.  Determined whether policies and guidelines had been followed and employees had been properly authorized for access to applications by obtaining the Form 5081 (electronic or paper) for the sample selected in Step II.B.
     B.  Determined whether temporary authority to approve access to applications had been properly controlled.
     C.  Determined whether recertifications were timely completed.

¹ The OL5081 system was named after the Information System User Registration/Change Request (Form 5081) the IRS uses to request and authorize user accounts for employees on all systems. The OL5081 system automates these processes and provides a centralized area for all system access authorizations.

² We could not readily determine the population of managers for each system because two of the five systems did not contain manager names for each user account. For those systems, we had to conduct specific queries and research the IRS’ Discovery Directory to identify managers for our sample.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Kent Sagara, Audit Manager
Myron Gulley, Senior Auditor
Louis Lee, Senior Auditor
Abraham Millado, Senior Auditor
Midori Ohno, Senior Auditor
William Simmons, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Commissioner, Small Business/Self-Employed Division SE:S
Commissioner, Wage and Investment Division SE:W
Chief, Appeals AP
National Taxpayer Advocate TA
Associate Chief Information Officer, Information Technology Services OS:CIO:I
Director, Business Systems Development OS:CIO:I:B
Director, End User Equipment and Services OS:CIO:I:EU
Director, Enterprise Operations OS:CIO:I:EO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
       Chief Information Officer OS:CIO
       Chief, Mission Assurance and Security Services OS:MA

Appendix IV

List of Treasury Inspector General for Tax Administration Audit Reports With Unauthorized or Unnecessary User Accounts Issues

In the following five Treasury Inspector General for Tax Administration audit reports, we reported employees had access to systems they did not need to carry out their responsibilities and user accounts were available on systems that were not supported with an Information System User Registration/Change Request (Form 5081).¹ The lack of a Form 5081 indicated that access was not properly authorized and users had not certified their awareness of security rules.

The Security of the Integrated Collection System Needs to Be Strengthened (Reference Number 2003-20-119, dated May 2003).
Key Security Controls of the Currency and Banking Retrieval System Have Not Been Implemented (Reference Number 2003-20-211, dated September 2003).
Inadequate Accountability and Training for Key Security Employees Contributed to Significant Computer Security Weaknesses (Reference Number 2004-20-027, dated January 2004).
Security Controls for the Counsel Automated System Environment Management Information System Could Be Improved (Reference Number 2005-20-036, dated February 2005).
Security Controls for the Appeals Centralized Database System Could Be Improved (Reference Number 2005-20-069, dated March 2005).

¹ The Internal Revenue Service established the Form 5081 to request and authorize employees’ system user accounts.

Appendix V

Description of Internal Revenue Service Automated Systems Selected for Review

The following Internal Revenue Service (IRS) systems were judgmentally selected based on concurrent audit work on specific applications, sensitivity of data, applicability to IRS employees, and the availability of certain data fields (e.g., date last accessed).

Appeals Centralized Database System – An Appeals organization system used for case receipt, control, and processing, as well as to record case activities and time charges.

Automated Collection System – A telephone contact system through which telephone assistors collect unpaid taxes and secure tax returns from delinquent taxpayers who have not complied with previous notices.

Automated Underreporter System – An automated system that matches taxpayer income and deduction information submitted by third parties to amounts reported on individual income tax returns.

Integrated Case Processing – An integrated system that provides employees with information to respond to a taxpayer inquiry and resolve most kinds of issues.

Taxpayer Advocate Management Information System – A Taxpayer Advocate Service (TAS) organization system used to record and manage all case activity involving the handling and resolution of significant hardship cases and other taxpayer problems that fall within the TAS organization’s jurisdiction.

Appendix VI

Management’s Response to the Draft Report
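The following script is an added illustration and is not code from the report, from the IRS, or from the OL5081 system. It implements the control Recommendation 1 asks for (disable an account after 45 days of inactivity, delete it after 90) together with the audit cross-check described in Appendix I, Steps II.D and II.E (compare each account’s “last accessed” date against the threshold, and cross-reference the account list with separated-employee data). It goes slightly beyond the text in one respect: following the Chief Information Officer’s response to Recommendation 1, a separated employee’s account is marked for deletion regardless of how recently it was used. The CSV layouts, column names, user identifiers, dates and the sample data are constructed assumptions; only the 45/90-day thresholds come from the report.

```python
"""Inactive-account sweep and separated-employee cross-check.

Added example; not the report's or the OL5081 system's code. The CSV
exports, their column names, the user IDs and the dates are constructed
for illustration. The thresholds are those in Recommendation 1.
"""
import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO
from typing import List, Optional, Set, Tuple

DISABLE_AFTER_DAYS = 45  # Recommendation 1: disable after 45 idle days
DELETE_AFTER_DAYS = 90   # Recommendation 1: delete after 90 idle days

# Constructed sample export of one application's user accounts.
# last_accessed is empty when the account has never been used.
ACCOUNTS_CSV = """system,user_id,created_on,last_accessed,enabled
ACS,u1001,2004-11-01,2005-06-30,yes
ACS,u1002,2004-11-01,2005-05-10,yes
ACS,u1003,2004-11-01,2005-03-01,yes
ACS,u1004,2004-11-01,2005-03-01,no
ACS,u1005,2005-01-15,,yes
ACS,u1006,2004-11-01,2005-06-28,yes
"""

# Constructed sample from a time-and-attendance system: employees who
# have left, with their separation date. u1009 has no account here.
SEPARATIONS_CSV = """user_id,separation_date
u1006,2005-06-29
u1009,2005-02-01
"""

AS_OF = date(2005, 7, 1)  # the date the sweep or audit is run


@dataclass(frozen=True)
class Account:
    system: str
    user_id: str
    created_on: date
    last_accessed: Optional[date]  # None when never used
    enabled: bool


def parse_accounts(text: str) -> List[Account]:
    """Read the (assumed) account export into Account records."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        last = r["last_accessed"].strip()
        rows.append(Account(
            system=r["system"],
            user_id=r["user_id"],
            created_on=date.fromisoformat(r["created_on"]),
            last_accessed=date.fromisoformat(last) if last else None,
            enabled=r["enabled"].strip().lower() == "yes",
        ))
    return rows


def parse_separated(text: str, as_of: date) -> Set[str]:
    """User IDs whose separation date is on or before as_of."""
    return {r["user_id"] for r in csv.DictReader(StringIO(text))
            if date.fromisoformat(r["separation_date"]) <= as_of}


def inactive_days(acct: Account, as_of: date) -> int:
    # A never-used account counts as idle since the day it was created.
    return (as_of - (acct.last_accessed or acct.created_on)).days


def required_action(acct: Account, as_of: date, separated: Set[str]) -> str:
    """'delete', 'disable' or 'none' under the 45/90-day rule."""
    if acct.user_id in separated:
        return "delete"  # separation overrides the inactivity thresholds
    idle = inactive_days(acct, as_of)
    if idle >= DELETE_AFTER_DAYS:
        return "delete"  # applies even if the account is already disabled
    if idle >= DISABLE_AFTER_DAYS and acct.enabled:
        return "disable"
    return "none"


def audit_exceptions(accounts: List[Account], as_of: date,
                     separated: Set[str]) -> List[Tuple[str, str, str, int]]:
    """Appendix I Step II.D/E style finding list: every account still on
    the system that the rule or the separation data says should not be."""
    findings = []
    for a in accounts:
        action = required_action(a, as_of, separated)
        if action != "none":
            findings.append((a.system, a.user_id, action, inactive_days(a, as_of)))
    return findings


if __name__ == "__main__":
    accts = parse_accounts(ACCOUNTS_CSV)
    gone = parse_separated(SEPARATIONS_CSV, AS_OF)
    for system, uid, action, idle in audit_exceptions(accts, AS_OF, gone):
        print(f"{system} {uid}: {action} (idle {idle} days)")
```

Run as a scheduled job, `required_action` is the enforcement half of Recommendation 1; run against an export with an `as_of` date, `audit_exceptions` is the self-assessment test Recommendation 3 asks business units to perform. Note that an already-disabled account (u1004) is still a finding once it passes 90 days, and that a never-used account is measured from its creation date rather than silently skipped, since an account with no login history is exactly the kind of entry that never reaches OL5081.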